A Group Of Hackers Reportedly Brought The Entire MGM Hotel And Casino Chain In Vegas To Its Knees By Finding A Help Desk Employee On LinkedIn And Gaining Access To Their Backend System By Impersonating Them

WSJ - The bellman at the Bellagio Resort & Casino was frank with the couple in line to check their bags early Wednesday morning.

“Just to let you know,” he said, “everything’s a mess right now.”

The full fallout from a cyberattack at MGM Resorts this week remains unknown, though it has frustrated travelers at every turn. Snaking check-in lines have been the norm, show and restaurant reservations have been upside-down and some slot machines have been dark.

For a place that promotes digital everything, from mobile room keys to slot machine vouchers, it’s been back to basics. Call it Bizarro Old Vegas.

For anybody who's ever been to Las Vegas, you know MGM is the big dog in town. Between Caesars and them, they manage and operate the majority of the big resorts in new Vegas. MGM Resorts International has about 48,000 rooms on "The Strip".

So when reports say this affected their entire company portfolio, it means it's a big freaking deal.

This is going to be a two-part blog.

The first part, is the hell that Vegas tourists and MGM hotel and casino guests (and staff) have been experiencing since Monday.

On a sweep through half a dozen MGM casino hotels, I saw employees armed with clipboards and pens everywhere. It was the strangest site I’ve seen since MGM installed those handwashing stations on the casino floor when Las Vegas casinos reopened in June 2020 after the pandemic closure.

At Aria Resort & Casino, a crown jewel in the chain, concierges were pressed into service to help manually check out travelers. They wrote down guests’ names and emails on white slips of paper so they could send a receipt. Behind the front desk, tables were filled with binders of master keys in case the system went down again and guests couldn’t get into their rooms.

At the luxe Bellagio, home to the famous fountain show, the reservations desk for the Cirque du Soleil show “O” told visitors who wanted tickets they needed cash or could book through Ticketmaster. Buffet workers wrote out credit-card numbers. All parking was temporarily free.

You know what? We've all been somewhere when the credit card machines or POS system goes down haven't we? In the early days of Toast point of sale, their system used to go offline like once a night and we'd have to run peoples cards through the slide credit card machine that made an imprint on the carbon paper, old school. It sucks but it's doable. Or you just tell people they need to get cash. It's Vegas so that shouldn't be a problem at all…

Cash only except nowhere to actually get cash. Sounds about right. 

(Sidebar- speaking of this, have you been to bank lately and tried to make a large withdrawal? If you haven't pretend you never read this. If you have then you know, what the fuck is up with that? Aren't banks supposed to have large amounts of cash on hand? Why should it take a day or more for them to process your order like you're ordering from Amazon?)

I think the worst part of the Vegas experience is the check in process. Unless you're a whale or "invited guest", which I am sadly not ever, and you have your keys waiting for you when your driver picks you up at Harry Reid, you are forced to endure lines. And even if you have status it doesn't matter, because it's Las Vegas and so do hundreds of other people. Those "VIP Lounges" with the nice fancy doors to shield you from the heathens checking in normal lines, yah, grab some couch because the smoking hot chick behind the counter has three or four other guests to check in ahead of you. Every time. I have a fucking DJ residency at the brand new club out there (Zouk at Resorts World) and it still takes me 30-45 mins to check in every time I arrive. Even the new "mobile key" option never really flies because you still have to link it to your card at the desk for incidentals and sign the no smoking waiver.

And this is all when the systems are up and running fine.

Just how bad are the wait times at these check-in lines this week? Apparently more than six hours for some people. Check out this line at Bellagio… it looks like the DMV.

Six hours? Fuck that noise. I don't care how high your points are with MGM or what your loyalty status is with MGM, six hours is an obscene amount of time to waste. Cancel that shit and book a room next door somewhere else.

They canceled the reservation and fled to Planet Hollywood Resort & Casino, part of MGM rival Caesars Entertainment, which dealt with its own cyberattack late this summer. It was the best option, he said, with some hotels charging rates as high as $1,300 a night.

Welp nevermind. $1300 for a regular, non-suite room in Vegas is bananas. Good to see the competition praying on the vulnerable.

So switching hotels is out of the question. Just leave your bags with the bellhop, and go kill the six hours at a blackjack or craps table right? Or slots even. Feed that thing 100 dollars, spin the minimum, take your time, drink your face off and watch the hours go by.

Slot machine players at all the casinos had to play a waiting game. The machines couldn’t spit out the vouchers players receive when they hit the cash-out button. So attendants scurried around manually paying the balance, a practice typically employed when someone wins a jackpot.

Shari MacDonald is bummed she can’t access the casino freeplay she gets from her loyalty status and can’t cash in comps for free tickets to comedian Carrot Top at Luxor and other shows they wanted to see. She’s not mad, though.

“I’m being very patient and tolerant, because I can’t imagine how they’re feeling losing millions a day,” she says.

Oh Shari, Shari baby, are you fucking nuts? Why do you give a fuck about Vegas losing millions of dollars a day? You think Vegas gives a fuck about you? See if you can't pay your rent go ask Vegas and see what it tells you. Vegas don't care about you, so why should you care about it? Nobody cares.

Well it's the hospitality capital of the world, surely they're taking care of these poor people stuck waiting in lines for six hours to get access to their rooms they paid for right?

On Wednesday, Bellagio tried to lessen the sting by setting up a free coffee stand near guest elevators, with almond milk and Irish cream and hazelnut creamers. At check-in, they served sparkling wine to lessen the lobby shock. Employees at Bellagio, Excalibur and other hotels also offered free water. 

Laugh out loud. Free coffee and cream? Clearing out your prosecco inventory that hasn't moved since 2020? Aww really guys you shouldn't have. 

It's not just affecting the check-in process, or gaming on the casino floor either. Room keys are fucked.

ABC - Several major hotels in Las Vegas, including the Bellagio, were left with faulty door locks, inoperable slot machines and other problems Monday after hotel officials said they were hit with a cyberattack. The outage, first detected on Sunday night, has affected company emails, reservations, room keys and casino slot machines.

The FBI said it is investigating the attack on MGM Resorts International hotels and has been in contact with the chain since Sunday. The hotel company said in a statement Monday morning that "it took prompt action to protect our system and data, including shutting down certain systems." 

Guests told 8NewsNow they were locked out of their rooms on Sunday night and unable to buy food due to the system outage.

Some have claimed they were left unable to claim their ticket and cash out after playing at the casino's slot machines. 

The outage appears to be affecting MGM properties outside of Vegas, including the Borgata in Atlantic City, New Jersey, and the Mississippi-based Biloxi.

Now let's get to Blackcat, the hacker group.

Forbes - On Tuesday night, VX-Underground, a malware research group with nearly 229,000 followers on X, posted that ransomware-as-a-service group ALPHV, also known as BlackCat, claimed responsibility for executing the attack by using social engineering to identify on LinkedIn an MGM employee who worked in IT support. The next step was simply to call the MGM help desk. Astonishingly, the attack took about 10 minutes to execute.

ALPHV is an extremely well-known black-hat actor in the cybersecurity industry, thought to be responsible for attacks against Reddit and Western Digital, among others. In April 2022, CISA, America’s cyber defense agency, issued an alert based on an FBI flash report on ALPHV, noting the criminal group had “compromised at least 60 entities worldwide.”

It’s clear that what MGM has called a “cybersecurity issue” will be extremely costly. In the quarter that ended on June 30, the company reported that its Las Vegas Strip properties generated revenue of $1.2 billion just from hotel rooms and casinos. Based on those figures, MGM’s Vegas Strip properties bring in more than $13 million per day in revenue.

It’s still not clear exactly what the hackers have. “But based on incidents that we see,” says Hamerstone, “it’s oftentimes multifold. So if hackers have encrypted your system, they’ll want a ransom to give you the key or to give access back. But they’ll also oftentimes take data and then threaten to release it if you don’t pay them.”

I'm not really going to comment on this because hackers scare the ever-loving shit out of me. These people are nihlists who believe in nothing and have zero problem wreaking havoc on anybody and everybody and demanding outrageous sums of money to make it stop. I already said too much.

They're also very, very smart, and cunning.

The amount of the ransom is also unknown. “But you just have to remember that these are very sophisticated, very well-organized groups. They they do a lot of research,” Hamerstone says. “We’ve seen that once attackers are in the system, they will sometimes look for your cyber insurance policy to see how much you’re covered for and then ask for that amount.”

And they show no mercy.

Network In Vegas - Alarmingly, the internal sources revealed that hundreds of guests had reported these fraudulent charges, fueling suspicions that the hacking group might have gained access to sensitive financial and payment details stored in MGM’s systems. The situation has bred a rising tide of panic among those who have recently used MGM Resorts services or the BetMGM app in recent months. Anyone using these services should verify their bank and card statements for unauthorized transactions.

This development comes hot on the heels of revelations from insiders at Caesars Entertainment, who disclosed that Caesars Entertainment paid millions to a hacking group back in August, to avert a similar cyber onslaught. The hacking group is known for its proficient social engineering skills, leveraging them to infiltrate large corporate networks. In Caesars’ case, the entry point was an external IT vendor, marking the start of the sinister operation on August 27, before delving deeper into the company’s network.

So how exactly did they do this? 

TheStack - The group suggested in a subsequent post that the attack had been conducted by a suspected English-speaking big game-hunting cybercriminal group associated with ALPHV/aka BlackCat, known as Scattered Spider by prominent cybersecurity company CrowdStrike.

Its reported affiliate Scattered Spider has been described as being known for attacks "which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access”

The group also uses MFA fatigue and SIM swapping techniques. vx-underground did not detail the precise approach the alleged social engineering attack took. Simply pretending to be IT support, saying that malicious software has been identified on the victim’s machine and that you need remote access that requires the targeted user to download a particular legitimate tool has worked for many penetration testers.

(There's a ton more tech jargon in that article detailing the approach they think the hackers took that I won't bore you with but if you're into that stuff or understand it, it's worth the read.)

How much do you think this is costing MGM a day?

By now we've all seen the Brad Pitt, George Clooney Oceans movies right? Those are just fiction and they've managed to peel back the curtain a tiny bit to show the public how over-the-top Las Vegas casino security is and how tightly they guard their money. Unless you're Scott Caan, there's no fucking way you can breach a Vegas casino's security. Right?

InfoSecurity - "MGM Resorts has a history of gambling with people's data. For instance, in 2019 a security breach occurred which led them to disclose that the details of 10 million guests were taken. However, it wasn't until the data was made public by the attacker that MGM Resorts revealed they were wrong about how much data was taken by over an order of great magnitude. As a result, 142 million users details were actually taken in the original breach,” he told Infosecurity.

“When an intruder has access to systems inside a casino network the stakes are high. While MGM Resorts appear to have carried out a series of undisclosed preventative measures, after causing major disruptions to casino operations, information regarding their next steps remains scarce. If data has been taken we will know about it soon due to Nevada's data breach reporting laws."

So how much are the hackers demanding MGM pay? 

Well, rumors floating around the Vegas media sites claim $30 million dollars. 

(That's the same price they originally demanded from Caesars back when they reportedly hacked them.)

Casino.org - Our sources say Caesars Entertainment paid $15 million to the hackers to resolve its data breach. The original demand was $30 million. (We are not making this up. Caesars talked them down like an episode of “Pawn Stars.”) An SEC disclosure is anticipated tomorrow (Sep. 14, 2023), before the market opens. It’s not anticipated the disclosure will include the ransom specifics.

Can you imagine being the poor schmuck who's used to fielding calls all day from guests who can't logon to the internet, and staff who's computers freeze or they can't clock in, just going through the motions day in and day out, getting this call and not even thinking twice about it? Now their employer is on the hook for tens of millions of dollars in lost revenue and a giant ransom number to get it back on track. Back in my law firm days I failed to run a conflict check properly on a prospective client because I misspelled their name, the firm billed thousands of dollars in hours before my mistake was caught. The leading attorney was fucking ripshit and went out of his way to let me know. I showed up early, took the stairs to avoid bumping into anybody important, for like 2 months. Ate lunch at my desk and wouldn't take a bathroom break unless I was going to explode because I was so embarrassed. And that was just a few thousand dollars mistake. This is MILLIONS! This poor guy or girl has got to be on suicide watch.

The latest word is MGM got things back online late last night. Though not sure if they paid the ransom or not.

What a wild few days in Vegas. 

p.s. -